Virtually every business, charity and public sector organisation is, in some way, digital. As high-profile incidents have shown, however, cyber-attacks exploiting this digitalisation have left citizens and businesses vulnerable and exposed to hostile actors as they move more and more of their lives and operations online.
Last year, UK businesses experienced approximately 7.78 million cybercrimes. Half of businesses (50%) and around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months.[1]
Meanwhile, the threat landscape is changing and becoming more complex, with emerging technologies such as Artificial Intelligence enabling cyber attackers to mount ever more sophisticated campaigns against organisations. UK cyber firm NCC Group’s latest insights show that ransomware attacks increased by 84% last year[3], with the UK the second most targeted country for such attacks, behind only the US[4].
More needs to be done to make us all safer online while also enhancing our national cyber resiliency, which is why I led a Westminster Hall debate recently on the critical issue of cyber security.
To tackle cybercrime, a close partnership between the public and private sector is an important part of the UK’s “whole of society” approach – where the UK’s cyber works closely with law enforcement, the public sector, academia and private businesses to ensure the UK remains confident, capable and resilient against cyber-attacks. This includes using vulnerability researchers – also known as ‘ethical hackers’ – who play a crucial role in identifying security vulnerabilities in products, software and services, and work with manufacturers and vendors to fix them before they can be exploited by threatening actors for nefarious purposes.
However, outdated legislation has failed to keep up with the fast-moving digital world, which has hamstrung connected efforts to protect individuals, businesses and national security alike.
The first change urgently needed to protect legitimate cybersecurity work is reform of the UK’s out-of-date Computer Misuse Act 1990, the main cybersecurity act that regulates the UK’s digital relationship between individuals and malicious parties.
The Act was written over 30 years ago, when just 0.5% of the world’s population had access to the internet, and blanketly prohibits all forms of unauthorised access to computer material, irrespective of intent or motive. In today’s context, it is no longer fit for purpose and significantly hinders the UK’s cyber defenders, these ‘ethical hackers’, from doing all they can to protect the UK.
A second area where government must prioritise reform is in increasing the scope of the Network and Information Systems (NIS) regulations – which set the cyber rules for our critical infrastructure, both virtual and physical – to include more organisations and require a broader range of incidents to be reported.
It is also vital to improve small businesses’ and charities’ access to cybersecurity. Despite 6 in 10 small businesses being victim to a cyberattack last year[13], many of those businesses lacked the skills and budgets to implement proportionate cyber protections, leaving them exposed.
To tackle this problem, the Government should work with technology providers to embed cyber security in their products – particularly those most relied upon by small organisations. The Government should also look at how it can support smaller firms’ response to and recovery from cyberattacks. This could include establishing a ‘first responder’ service that provides proportionate support to small businesses that have been victims of cyberattacks, similar to Australia’s recently announced Small Business Cyber Security Resilience Service[15].
Finally, the government must look at how it enhances the UK’s cyber skills. Never has it been so important to equip individuals – across organisations of all sizes and at all levels of seniority – with the cyber literacy they need to make decisions about their personal, organisational and even national cyber resilience.
While we should be proud of the UK’s role as a responsible global cyber power, we should also remember that there is widespread, cross-party, and cross-societal consensus on the importance of cyber security as a fundamental pillar for thriving and prosperous digital societies and economies. More must be done to keep the public safe and secure in cyberspace, and this starts with ensuring that government policy keeps pace with technology and the ever-changing cyber landscape.